Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,"%LOCALAPPDATA%\Pic1fPBkmq\LOHejsSdpL.exe" -s'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe,"%APPDATA%\Java\Jusched.exe",'
- installutil.exe
- %TEMP%\v2rxkpl5af.exe
- %LOCALAPPDATA%\pic1fpbkmq\lohejssdpl.exe
- %TEMP%\advancedrun.exe
- %APPDATA%\java\jusched.exe
- %TEMP%\installutil.exe
- %LOCALAPPDATA%\pic1fpbkmq\lohejssdpl.exe
- %TEMP%\advancedrun.exe
- '%TEMP%\v2rxkpl5af.exe'
- '%TEMP%\advancedrun.exe' /EXEFilename "<SYSTEM32>\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
- '%TEMP%\advancedrun.exe' /SpecialRun 4101d8 2856
- '%TEMP%\advancedrun.exe' /EXEFilename "<SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir '%ALLUSERSPROFILE%\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
- '%TEMP%\advancedrun.exe' /SpecialRun 4101d8 2964
- '%TEMP%\installutil.exe'